Issue 670457

Issue metadata

Status: Fixed
Closed: Feb 2017
Pri: 1
Type: Bug-Security
M-X

Security: [FG-VD-16-088] Adobe Flash Player Handling MP4 Out-of-Bounds Read Vulnerability

Reported by kevinlu0...@gmail.com, Dec 1 2016

Issue description

VULNERABILITY DETAILS
It is an out-of-bounds read vulnerability in MP4 processing.

VERSION
Adobe Flash Player 23.0.0.207
Other versions may be affected too

REPRODUCTION CASE
Put LoadMP42.swf and FG-VD-16-088_PoC.mp4 on a server and load http://127.0.0.1:8080/LoadMP42.swf?file=FG-VD-16-088_PoC.mp4
Run the following command line:
    flashplayer_23_sa_207.exe http://127.0.0.1:8080/LoadMP42.swf?file=FG-VD-16-088_PoC.mp4

Credits:
  This vulnerability was discovered by Kai Lu of Fortinet's FortiGuard Labs.

Note: I tested this case and it can be reproduced stably in the standalone player (pageheap enabled) and in other browsers, such as Firefox and IE, on Windows 10 Pro x64 and Windows 7 x64. It repros inconsistently on Chrome; I need more time to investigate the reason.

Attachments:
FG-VD-16-088_PoC.mp4 (1.4 MB)
LoadMP42.swf (1.0 KB)
crashlog.txt (4.9 KB)
Owner: natashenka@google.com
Status: ExternalDependency (was: Unconfirmed)
Natalie, mind taking a look at this one?
Reproduced the crash on Windows 7. Will report to Adobe.
This was fixed as CVE-2017-2991
This is PSIRT-6100.

Comment 5 Deleted

Labels: reward-topanel
Status: Fixed (was: ExternalDependency)
Labels: Security_Severity-Medium Security_Impact-Stable
Comment 8 by sheriffbot@chromium.org, Feb 21 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -reward-topanel reward-unpaid reward-1000
Congratulations! The panel decided to award $1,000 for this bug!
Labels: -reward-unpaid reward-inprocess
thanks!
Labels: M-X
Comment 14 by sheriffbot@chromium.org, May 30 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 15 by sheriffbot@chromium.org, Jul 28

Labels: Pri-1